• No results found

Penetration Testing. What Is a Penetration Testing?

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Penetration Testing. What Is a Penetration Testing?"

Copied!
15
0
0

Loading.... (view fulltext now)

Download now ( 15 Page )

Full text

(1)

Penetration Testing

12/7/2010 Penetration Testing 1

What Is a Penetration Testing?

• Testing the security of systems and

architectures from the point of view of an attacker (hacker, cracker …)

(2)

Penetration Testing Is Not…

• An alternative to other IT security measures – it complements other tests

• Expensive game of Capture the Flag • A guarantee of security

12/7/2010 Penetration Testing 3

Authorization Letter

• Detailed agreements/scope

– Anything off limits? – Hours of testing?

– Social Engineering allowed? – War Dialing?

– War Driving?

(3)

To Tell or Not to Tell?

• Telling too many people may invalidate the test

• However, you don’t want valuable resources chasing a non-existent “intruder” very long • And, elevation procedures make not telling

risky

12/7/2010 Penetration Testing 5

Black Box vs. White Box

• It treats the system as a "black-box", so it doesn't explicitly use knowledge of the internal

structure.

• It allows one to peek inside the "box", and it focuses specifically on using internal

(4)

7

OSSTMM

• OSSTMM – Open-Source Security Testing

Methodology Manual

• Version 3.0 RC 26 at www.osstmm.org

http://www.isecom.org/projects/osstmm.htm

• It defines how to go about performing a pen

test, but does not go into the actual tools.

12/7/2010 Penetration Testing

Technique – Penetration Testing

1) Gather Information 2) Scan IP addresses 3) Fingerprinting

4) Identify vulnerable services

(5)

9

Gathering Information

• Goal – Given a company’s name, determine information like:

– what IP address ranges they have

• WHOIS (arin.net …) • Nslookup – personal information • Social engineering • Google • we.register.it 12/7/2010 Penetration Testing

Scan IP Addresses

• Goal – Given a set of IP addresses, determine what services and Operating Systems each is running.

• Nmap – www.nmap.org

(6)

11

Fingerprinting

• What web server is running? • What accounts have I found? • What services are running? • What OSes are running? • Who is logged in?

• Is there available information on the web site?

12/7/2010 Penetration Testing

Identify Vulnerable Services

• Given a specific IP address and port, try to gain access to the machine. Report all known

vulnerabilities for this target.

• Nessus

• OpenVAS

(7)
(8)

Exploit vulnerability

• Try to exploit detected vulnerabilities, for example: – Buffer overflow – Heap overflow – SQL injection – Code injection – Cross-site scripting

• Metasploit is a framework that allows to test attacks

(9)

Alternatives

Tools Features

Core Impact Immunity Canvas SecurityForest Metasploit

License

25.000$

Open-source (but some libraries are only in binaries)

1.450$ Open source 3 months of updates and support

Free and Open-source Free and Open-source

Number of Exploits - more of 150 ~2500 (at February

2005)

191 (at October 2007)

Updates

Frequently (weekly) Frequently (average 4 exploit every month)

Occasionally (last updates in 2005)

Occasionally (last updates on October 2007)

Platform Only Windows Independent Only Windows Independent

Program Language

Python Python Perl for framework, many others languages for exploits (C,Perl,Python,Ruby,Sh ell,...) Ruby, C, Assembler Advantages Report system / Integrationwith vulnerability assessment tools

0-day payload Number of pre-compiled exploits (see ExploitationTree)

Free /

IDS-IPS evasion / support to write exploits and large used in security community

(10)

Nmap (Network Mapper)

Port Division

- open, closed, filtered, unfiltered, open|filtered and closed|filtered

Scanning techniques -sS (TCP SYN scan) -sT (TCP connect() scan) -sU (UDP scans)

-sA(TCP ACK scan) -sW (TCP Window scan) -sM (TCP Maimon scan)

--scanflags (Custom TCP scan)

-sI <zombie host[:probeport]> (Idlescan) -sO (IP protocol scan)

-sN; -sF; -sX (TCP Null, FIN, and Xmas scans) -b <ftp relay host> (FTP bounce scan)

12/7/2010 Penetration Testing 19

Identify active hosts and services

in the network

• ping sweep useful to identify targets and to verify also rogue hosts

• Ex:

– nmap -v -sP 192.168.100.0/24

• -sP Ping scan.

• port scanning useful to identify active ports (services or daemons) that are running on the targets

• Ex:

– nmap -v -sT 192.168.100.x

(11)

Identify target OS version

• OS Fingerprinting: there are different values for each OS (Ex. TCP stack, …) • Ex: Nmap –O <target>

linux 2.4 linux 2.6 openbsd windows 9x windows 2000windows xp

ttl 64 64 64 32 128 128

packet length 60 60 64 48 48 48

initial windows 5840 5840 16384 9000 16384 16384

mss 512 512 1460 1460 1460 1460

ip id 0 random random Increment increment increment

enabled tcp opt MNNTNW MNNTNW M M MNNT MNW

timestamp inc. 100hz 1000hz unsupported unsupported unsupported unsupported

sack OK OK OK OK OK OK

SYN attempts 5 5 4 3 3 3

12/7/2010 Penetration Testing 21

Vulnerability scanning

• Nessus

is a leader tool in vulnerability

scanning

• There are two components :

– nessusd server with plugins’ list of known vulnerabilities (there are different kinds of

subscription depending on how old are plugins) – nessus is a front end of the tool there are several

(12)

Introduction to Nessus

• Created by Renaud Deraison

• Currently Maintained by Tenable Network Security • Uses the NASL Scripting language for it’s plugins

(currently over 13,000 plugins!)

• Price is still Free! But no more open source

• Register to obtain many NASL plugins (7 day delay). • Or Purchase a Direct Feed for the Latest!

12/7/2010 Penetration Testing 23

Nessus Features

• Client/Server Architecture • SSL/PKI supported

• Smart Service Recognition

– (i.e. FTP on 31337)

• Non-Destructive or Thorough Tests

(13)

OpenVAS

• OpenSource Vulnerability Assessment Scanner • Previously GNessUs (a GPL fork of the Nessus) • OpenVAS is a security scanner to allow future

free development of the now-proprietary NESSUS tool

• OpenVAS now offers 15’000 Network Vulnerability Tests (NVTs) more all NASL plugins.

12/7/2010 Penetration Testing 25

(14)

Exploit vulnerabilities

• metasploit is a framework that allows to perform real attacks

• You need to start metasploit from the start menu

(Penetration Test->Framework 3)

– msfconsole

12/7/2010 Penetration Testing 27

Select the exploit and the payload

• Select an exploit:

– msf > use windows/http/altn_webadmin – msf exploit(altn_webadmin) >

• Select the payload for the exploit (setting the

PAYLOAD global datastore)

– msf exploit(altn_webadmin) >

(15)

Set options for exploit and payload

• Show options

– msf exploit(altn_webadmin) > show options

• Set the options:

– msf…> set RHOST 192.168.100.x TARGET IP

– msf…> set RPORT 1000 VULNERABLE SERVICE

– msf…> set LHOST 192.168.100.Y ATTACKER IP

– msf…> set TARGET 0 TYPE OF EXPLOIT

• Launch the exploit

– msf exploit(altn_webadmin) > exploit

12/7/2010 Penetration Testing 29

Vulnerabilities disclosure

• If we find a new vulnerability (Zero Day Vulnerability)

• What we have to do?

– Do not say anything and maintain the secret perhaps in the future the producer will fix it

– Spread the information:

• to all or just to the producer

– Which level of detail reveal

References

Download now ( PDF - 15 Page - 447.36 KB )

Related documents

A report of Mongolia’s renewal capital

The main attention of this thesis is on the most commonly used national intellectual capital framework, containing human capital, market capital, process capital,

OP-AMP AND ITS APPLICATIONS

The adder circuit provides an output voltage proportional to or equal to the algebraic sum of two or more input voltages each multiplied by a constant gain factor.. It is

Cronfa - Swansea University Open Access Repository

This allowed us to exhibit wellfounded induction as a special case of strictly positive induction and, in turn, to give a new presentation of the Archimedean property for real

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Penetration Testing types According to attacker’s location: According to attacker’s initial information: External pentest Internal pentest. Black

Gateway_B2+_Test_Unit_8_A

C People question the meaning of life but don’t do anything to change things. D People want to get off the conveyor belt but they are

7 AVO Cross Plot

model of the previous slide, where the slide on the left shows an intercept x gradient product (A*B) and the slide on the right shows a weighted sum of the intercept and

VSC - Vodacom Satellite Connect

As indicated in the table the entry level VSC50 service, is provided with a 1GB Internet bundle with a maximum download speed of 512kbps and an upload speed of 128kbps with the

Depression and disordered gaming: does culture matter?

Conversely, research has suggested that excessive internet gaming behavior places gamers at higher risk for real-life dysfunction (e.g., the loss of one’s job) that would in